Configure Salesforce External Client App for TKPortal SSO
This guide walks you through configuring a new Salesforce org to use the Textkernel unpackaged External Client App (ECA) as the SAML 2.0 Identity Provider for single sign-on with Textkernel Portal. It also covers how to migrate an existing SAML configuration from the packaged Portal Connected App to the External Client App.
The External Client App is unmanaged — it is not distributed through the Salesforce AppExchange but instead provided by Textkernel as a textkernel_connector_saml_eca_package.zip file, which you deploy manually into your org using Workbench.
Deploy the unpackaged External Client App via Workbench
Before configuring the Identity Provider, you must deploy the External Client App metadata to your Salesforce org using Workbench.
- Log in to Workbench: Navigate to SF Workbench and log in to your target Salesforce org.
- Navigate to Deploy: Go to the Migration menu and select Deploy.
- Upload the package:
  - Download the ECA zip file here.
  - Click Choose File and select the textkernel_connector_saml_eca_package.zip file provided by Textkernel.
  - Check the Single Package checkbox.
  - Set the Test Level appropriate for your org type:
    - For sandboxes or developer orgs, select NoTestRun.
    - For production orgs, select RunLocalTests.
- Deploy: Click Next, review the deployment details, and then click Deploy to start the process. Monitor the results on the confirmation page.
Setup Identity Provider
This section describes how to configure Salesforce as your SAML 2.0 Identity Provider, so that Salesforce users have single sign-on access to Textkernel Portal. If you are using a different identity provider, the configuration steps will differ.
Important
Your environment values will be different from the examples shown here. Please contact your assigned Technical Consultant to receive the correct settings for your org.
Step 1: Enable Identity Provider
Go to SFDC Setup → Identity Provider → Enable Identity Provider.
Note
This step is only required for a new setup. If you are migrating from the packaged Connected App to the External Client App and Identity Provider is already enabled, you can skip this step.
Step 2: Set Up a Certificate
Depending on your identity architecture, either create a Self-Signed Certificate or upload your own certificate.
To upload an existing certificate:
- Go to SFDC Setup → Certificate and Key Management.
- Click Import From Keystore.
- Click Choose File and select your certificate file.
- Enter the keystore Password.
- Click Save.
Note
This step is only required for a new setup. If you are migrating from the Connected App to the ECA and a certificate is already available, you can skip this step.
Step 3: Configure the "Textkernel Portal" External Client App
- Go to SFDC Setup → External Client App Manager.
- Find the Textkernel Portal app, open its dropdown menu, and select Edit Policies.
3a. Assign Profiles or Permission Sets
In the App Policies section, select the appropriate (non-managed) Profiles and/or Permission Sets to control which users have access to this app. Use only non-managed entities.
3b. Update the Custom Attribute Value
Locate the Custom Attribute with the key http://textkernel.com/auth/portal/account and update its value to match the Portal Account field configured in your Textkernel Credentials custom setting.
For example, change:
"$Setup.Textkernel1__Credentials__c.Textkernel1__PortalAccount__c"
to your actual portal account identifier, for example:
"tk_development"
Note
You will receive the correct Portal Account value from Textkernel customer support.
3c. Share Your Metadata with Textkernel
Save the External Client App configuration, then share your org's metadata with the Textkernel support team by clicking the Download Metadata button in the SAML Login Info section, and sending the file to Textkernel support.
Note
This step is only required for a new setup. If you are migrating from the Connected App to the ECA, you can skip this step.
3d. Configure SAML Policies
Once you receive confirmation from the Textkernel support team that your metadata has been set up on their side, configure the SAML Policies for the External Client App. Click Edit Policies and fill in the following fields:
| Field | Value |
|---|---|
| Entity Id | value received from Textkernel |
| ACS URL | value received from Textkernel |
| Issuer | value received from Textkernel |
| Signing Algorithm for SAML Messages | SHA256 |
| IdP Certificate | Select the certificate configured in Step 2 |
Important
The Signing Algorithm for SAML Messages must be set to SHA256. SHA1 must not be used.
3e. Save and Enable the External Client App
Save your changes and enable the External Client App.
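A check to run once the app is enabled, covering the settings from 3b and 3d (an added example, not part of the Textkernel documentation): it inspects a SAML response captured from a test login in your own org and flags SHA1 algorithms or a portal account attribute left as the formula placeholder. The sample response is constructed and abbreviated, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
ACCOUNT_ATTR = "http://textkernel.com/auth/portal/account"

def audit_saml_response(xml_text):
    """Return a list of findings; an empty list means every check passed.
    Inspects declared algorithms only; it does not verify the signature."""
    root = ET.fromstring(xml_text)
    findings = []
    sig_methods = list(root.iter(DS + "SignatureMethod"))
    if not sig_methods:
        findings.append("no ds:SignatureMethod found: message is unsigned")
    # Simplification: accept any algorithm URI that ends in "sha256".
    for el in sig_methods + list(root.iter(DS + "DigestMethod")):
        alg = el.get("Algorithm", "")
        if not alg.lower().endswith("sha256"):
            findings.append(f"{el.tag[len(DS):]} is not SHA256: {alg}")
    values = [(v.text or "").strip()
              for a in root.iter(SAML + "Attribute") if a.get("Name") == ACCOUNT_ATTR
              for v in a.iter(SAML + "AttributeValue")]
    if not values:
        findings.append("portal account attribute is missing")
    for value in values:
        # Assumption: an unedited attribute appears as the "$Setup." formula text.
        if not value or value.startswith("$Setup."):
            findings.append(f"portal account is not a literal value: {value!r}")
    return findings

def sample_response(sig_alg, digest_alg, account):
    """Constructed, abbreviated SAML response (no real signature value)."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <saml:Assertion>
  <ds:Signature><ds:SignedInfo>
   <ds:SignatureMethod Algorithm="{sig_alg}"/>
   <ds:Reference><ds:DigestMethod Algorithm="{digest_alg}"/></ds:Reference>
  </ds:SignedInfo></ds:Signature>
  <saml:AttributeStatement>
   <saml:Attribute Name="{ACCOUNT_ATTR}">
    <saml:AttributeValue>{account}</saml:AttributeValue>
   </saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""
```
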
Step 4: Disable SAML on the Existing 'Portal' Connected App (Migration only)
Note
This step applies only when migrating from the packaged Connected App to the External Client App. Skip this step for new setups.
To avoid conflicts, you must disable the SAML configuration on the original Portal Connected App:
- Go to Setup → Manage Connected Apps and open the Portal Connected App for editing.
- Update the following fields to their disabled placeholder values:

| Field | Value |
|---|---|
| Entity ID | DISABLED |
| ACS URL | DISABLED |
| Issuer | DISABLED |
| IdP Certificate | Default IdP Certificate |

- Save the Connected App.